VideoInfoScanner: Correctly redact URLs #15228

Merged
merged 1 commit into from Jan 11, 2019


@pkerling
Member

commented Jan 10, 2019

CURL::GetRedacted does not work on decoded URLs since e.g. the password
part may include an encoded @ (%40) that in decoded form will confuse
the redaction and expose part of the password. Also, there is no
particularly strong reason to decode URLs for log messages here.
When matching the regular expressions, however, the URL must be decoded,
but the username/password details are not important, so redact them
before matching. Otherwise, they might get exposed during further
logging done on the decoded URLs.

Fixes #15160
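
The ordering problem described in this pull request, as an added example that is not Kodi's code: `RedactUserInfo` and `PercentDecode` are hypothetical simplified helpers (not `CURL::GetRedacted`), the `USERNAME:PASSWORD` placeholder is an assumption, and the sample URL is constructed.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical stand-in redactor (NOT Kodi's CURL::GetRedacted): everything between
// "://" and the first '@' inside the authority is treated as userinfo.
std::string RedactUserInfo(const std::string& url)
{
  const auto scheme = url.find("://");
  if (scheme == std::string::npos)
    return url;
  const auto authStart = scheme + 3;
  const auto authEnd = url.find('/', authStart); // npos when there is no path
  const auto at = url.find('@', authStart);
  if (at == std::string::npos || at > authEnd)
    return url; // no credentials in the authority
  return url.substr(0, authStart) + "USERNAME:PASSWORD" + url.substr(at);
}

// Minimal percent-decoder; malformed escapes are copied through unchanged.
std::string PercentDecode(const std::string& in)
{
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i)
  {
    if (in[i] == '%' && i + 2 < in.size() &&
        std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
        std::isxdigit(static_cast<unsigned char>(in[i + 2])))
    {
      out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
      i += 2;
    }
    else
      out += in[i];
  }
  return out;
}

// Unsafe order: the decoded %40 becomes a second '@' and splits the password.
std::string DecodeThenRedact(const std::string& url) { return RedactUserInfo(PercentDecode(url)); }

// Order the PR describes: redact the encoded URL, then decode it for regex matching.
std::string RedactThenDecode(const std::string& url) { return PercentDecode(RedactUserInfo(url)); }

int main()
{
  const std::string url = "smb://user:p%40ss@nas/Movies/A%20Film.mkv"; // constructed sample
  std::cout << DecodeThenRedact(url) << '\n' << RedactThenDecode(url) << '\n';
}
```

With the constructed URL, the decode-first order leaves the password tail `ss` in the output, while the redact-first order leaves none of it.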

@MartijnKaijser

Member

commented Jan 11, 2019

Jenkins build this please

@MartijnKaijser

Member

commented Jan 11, 2019

Jenkins build this please

@MartijnKaijser MartijnKaijser merged commit baff0a1 into xbmc:master Jan 11, 2019
1 check passed
MartijnKaijser added a commit to MartijnKaijser/xbmc that referenced this pull request Jan 22, 2019